Code of Massachusetts Regulations
957 CMR - CENTER FOR HEALTH INFORMATION AND ANALYSIS
Title 957 CMR 5.00 - HEALTH CARE CLAIMS, CASE MIX AND CHARGE DATA RELEASE PROCEDURES
Section 5.06 - All Other Requests for Data

Universal Citation: 957 MA Code of Regs 957.5

Current through Register 1531, September 27, 2024

(1) Requests for Data that do not fall under the categories described in 957 CMR 5.03, 5.04 or 5.05 shall be made in writing by filing an application with CHIA in a form specified by CHIA as provided on its Website.

(2) In any application for Data under 957 CMR 5.06, each Applicant shall:

(a) identify and demonstrate a need for the Protected Health Information requested and for those specific data elements CHIA deems necessary to protect individual privacy;

(b) specify the purpose of the request, including the intended use(s) of the Data, a detailed project description that describes any other data sources to be used for the project and, if applicable, the research methodology;

(c) specify security and privacy measures that will be taken in order to safeguard patient privacy and prevent unauthorized access to or use of the Data;

(d) specify the Applicant's methodology for maintaining data integrity and accuracy; and

(e) describe how, or if, the results of the Applicant's analysis will be published.

(3) Applicants requesting Protected Health Information of Medicaid recipients will be required to demonstrate compliance with 42 U.S.C. § 1396a(a)(7) to the satisfaction of both CHIA and the Executive Office of Health and Human Services.

(4) Applicants requesting Medicare Data will be required to demonstrate compliance with CMS requirements regarding access to and use of such Data.

(5) Applications for Data filed under 957 CMR 5.06 will be posted on CHIA's Website. CHIA will not post those portions of applications that specify an Applicant's proposed data security measures.

(6) CHIA will invite public comments on applications for at least ten business days following the day on which the application is posted on the Website.

(7) Applications for Data under 957 CMR 5.06 shall be reviewed by a Data Privacy Committee comprised of CHIA employees or contractors with relevant experience in data privacy, data security, information technology and research.

(a) In reviewing each application for Data submitted pursuant to 957 CMR 5.06, the Data Privacy Committee shall determine whether the Applicant has met the criteria for release specified in 957 CMR 5.06(9).

(b) The Data Privacy Committee shall prepare a written recommendation for the Executive Director specifying whether the application should be approved, approved with conditions or denied.

(8) All applications for Data under 957 CMR 5.06 shall be reviewed by the Data Release Committee established under 957 CMR 5.08.

(9) The Executive Director will approve an application if he or she determines that the Applicant has met the following criteria:

(a) There is no more than a minimal risk to individual privacy based on:
1. an adequate plan to protect Protected Health Information;

2. a written commitment to return or destroy Data upon completion of the project for which the Data is sought; and

3. written assurances restricting the use of Data to the specific uses identified in the application.

(b) The Applicant cannot meet its research or project objectives without the requested Data.

(c) The Data sought by the Applicant is the minimum amount necessary to achieve the Applicant's research or project objectives.

(d) The purpose for which the Data is requested is in the public interest. Uses that serve the public interest include, but are not limited to:
1. health cost and utilization analysis to formulate public policy;

2. studies that promote improvement in population health, health care quality or access;

3. health planning and resource allocation studies; and

4. studies directly tied to evaluation or improvement of Massachusetts state government initiatives.

(e) The Applicant has demonstrated it is qualified to undertake the study or accomplish the intended use.

(10) The Executive Director's decisions to approve or deny applications for Data are final and not subject to further review or appeal.

(11) The Executive Director may impose conditions on the subsequent use and disclosure of any Data released under 957 CMR 5.06.

(12) All Applicants for Data shall enter into a Data Use Agreement with CHIA prior to the receipt of any Data. The Data Use Agreement shall, at a minimum:

(a) Restrict the use of the Data to those uses identified in the application and approved by the Executive Director;

(b) Commit the Applicant to return or destroy the Data received from CHIA upon completion of the project for which the use of the Data was approved. All data destruction must comport with M.G.L. c. 931 and any other applicable state or federal law;

(c) Require the Applicant to adhere to processes and procedures aimed at preventing unauthorized access, disclosure or use of the Data;

(d) Require the Applicant to notify CHIA of any unauthorized use or disclosure of the Data;

(e) Permit CHIA, at its discretion, to review all analyses, research or other products created or based on Protected Health Information provided by CHIA prior to the release or disclosure of any such analysis, research or product; and

(f) Permit CHIA, at its discretion, to audit the Applicant's compliance with the provisions of the Data Use Agreement.

Disclaimer: These regulations may not be the most recent version. Massachusetts may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.